Hi All,

Trying to set up CXF JAXRS with Kerberos authentication (Active Directory KDC). The CXF endpoint works fine; however, I'm unable to successfully authenticate once the Kerberos Filter is activated.

Using the sample code on the Apache CXF project homepage as a guide: http://cxf.apache.org/docs/jaxrs-kerberos.html

My project cxf-servlet.conf file has the Kerberos filter enabled as per below:

    <bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
        <property name="loginContextName" value="KerberosServer"/>
    </bean>

    <jaxrs:server>
        <jaxrs:serviceBeans>
            <bean class="org.mycompany.MyCompanyResource"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <ref bean="kerberosFilter"/>
        </jaxrs:providers>
    </jaxrs:server>

My jaas.conf file has been placed in the /src/main/webapp/WEB-INF directory and contains the following:

    KerberosServer {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true;
    };

    KerberosServerKeyTab {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        refreshKrb5Config=true
        useKeyTab=true
        keyTab="/etc/tomcat.keytab"
        principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
    };

However, the following exception is received when making a call against the protected service:

    Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
    WARNING: javax.ws.rs.NotAuthorizedException
        at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:724)

My initial thought was that the jaas.conf wasn't being read and applied, but even setting the java.security.auth.login.config variable in the tomcat setenv.sh script seemingly hasn't worked.

Any ideas on why the above isn't working or how I can debug further?

Thanks in advance.
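
One way to check whether a JVM actually picks up the jaas.conf from the post, as an added example that is not part of the original message and not CXF code: it prints the login-config system properties and the options the JVM resolves for a given login context name, so the entry named by loginContextName can be compared with the one that carries the keytab settings. The class name JaasEntryCheck is hypothetical; the context names come from the post.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added diagnostic (not CXF code): reports what the running JVM resolves
// for a JAAS login context name such as "KerberosServer".
public class JaasEntryCheck {

    static String describe(String contextName) {
        StringBuilder out = new StringBuilder();
        for (String p : new String[] {"java.security.auth.login.config",
                                      "java.security.krb5.conf"}) {
            out.append(p).append(" = ").append(System.getProperty(p)).append('\n');
        }
        AppConfigurationEntry[] entries;
        try {
            // Throws SecurityException when no login configuration can be loaded.
            entries = Configuration.getConfiguration()
                                   .getAppConfigurationEntry(contextName);
        } catch (SecurityException e) {
            return out.append("JAAS configuration not loaded: ")
                      .append(e.getMessage()).append('\n').toString();
        }
        if (entries == null || entries.length == 0) {
            return out.append("No entry named '").append(contextName)
                      .append("' in the loaded configuration\n").toString();
        }
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> opts = e.getOptions();
            out.append(contextName).append(" -> ").append(e.getLoginModuleName())
               .append(' ').append(e.getControlFlag()).append('\n');
            // Options a keytab-based service login normally carries.
            for (String key : new String[] {"useKeyTab", "keyTab", "principal", "storeKey"}) {
                out.append("  ").append(key).append(" = ")
                   .append(opts.containsKey(key) ? opts.get(key) : "(not set)")
                   .append('\n');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Default matches the loginContextName used in the post.
        System.out.print(describe(args.length > 0 ? args[0] : "KerberosServer"));
    }
}
```

Run it with the same -Djava.security.auth.login.config value that setenv.sh passes to Tomcat, once for KerberosServer and once for KerberosServerKeyTab.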
